Fwd: Fwd: Re: I don't trust the NZRS DNSSEC procedures... Yet
Damn you, list software that always does the opposite of what I want.
---------- Forwarded message ----------
From: Andy Linton
Additionally, the root does not change very often and does not have any form of SLA on how quickly those changes are made, so introducing processes that create significant operational delays is not a problem for the root. Root zone changes often take days. This contrasts strongly with .nz where we have a tight SLA that requires us to publish changes within an hour and a bit of receiving them and have metrics governing how much downtime is allowed per server, how quickly changes propagate, how quickly we serve responses, etc.
I think we need to look at this more closely.
.nz does not change very often - the zones that change often are co.nz, net.nz etc. So we may have different requirements for those levels. I can envisage govt.nz or mil.nz having different trust requirements from org.nz or geek.nz for example. We haven't delegated those zones in the past but it's possible that might happen. We're lumping .nz and the second level domains together and that may or may not be appropriate.
I also think that we should be willing to consider changes in the performance characteristics of the system if it makes it more secure. I would certainly be willing to raise a modified SLA with the DNCL Board.
Fast, reliable, cheap - pick two.
On 8/06/2011, at 2:15 PM, Andy Linton wrote:
I think we need to look at this more closely.
.nz does not change very often - the zones that change often are co.nz, net.nz etc. So we may have different requirements for those levels. I can envisage govt.nz or mil.nz having different trust requirements from org.nz or geek.nz for example. We haven't delegated those zones in the past but it's possible that might happen. We're lumping .nz and the second level domains together and that may or may not be appropriate.
Changing the .nz model for second level domains from allowing moderated domains to allowing delegated domains is a major move that would include changing just about every policy and procedure as well as significant parts of the infrastructure. I'm sure that if that were to happen there would be plenty of time to reconsider the SLA, the DPS and whatever else at that time.
cheers
Jay
I also think that we should be willing to consider changes in the performance characteristics of the system if it makes it more secure. I would certainly be willing to raise a modified SLA with the DNCL Board.
Fast, reliable, cheap - pick two.
--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840